HEALTH TRAIN EXPRESS
Follow or subscribe to Health Train Express, as well as Digital Health Space, for all the updates on health policy, reform, and public health issues. Health Train Express is published several times a week. Subscribe and receive an email alert each time it is published. Health Train Express has been published since 2006.

Tuesday, February 15, 2011

Who is Reading Your Medical Records?

Privacy and confidentiality issues are now outside the physician’s domain and responsibility.

Not surprisingly, FierceHealth IT reports that security breaches of personal health information are widespread.

Although paper charts were cumbersome, they were locked up in one location, not floating around in cyberspace. I am sure these charts were read by others not authorized to do so; however, it was nearly impossible to document this occurrence.

Today we have IT whereby access to medical records can be tracked, and the burden of keeping those records safe now lies largely with non-medical personnel. Pandora’s box was opened with the use of EMRs and HIEs, and HIPAA has lost the keys.

The situation will only worsen with the implementation of health information exchanges.

FierceHealth IT reports:

Hackers and other malefactors steal a surprising amount of personal health information by breaching computer security. Between August 2009 and December 2010, the electronic health records of more than 6 million individuals were compromised, and 61 percent of those security breaches were the result of malicious intent, according to Redspin, a leading provider of HIPAA risk analysis and IT security assessment services.

The Redspin report covers only breaches involving more than 500 people, which HIPAA regulations require to be reported to the Department of Health and Human Services.

The breakdown of events:

Business associates accounted for 40 percent of all the records breached. But that percentage, too, might be larger than reported. Although business associates are required to report breach incidents to healthcare providers within 60 days of their occurrence, it's not hard to imagine situations in which they fail to do so.

The report found that the security breaches occurred in 43 states, Washington, D.C., and Puerto Rico. Each breach affected 27,000 people on average, and breaches involving laptops and other mobile devices affected an average of 66,000 people. The latter accounted for 44 percent of all incidents and 65 percent of all records breached, suggesting that the theft or loss of mobile devices is as major a reason for breaches as hacking.

The cost of these breaches to HIT systems goes far beyond the hardware and software put in place to secure the records, as seen in this typical scenario which FierceHealth documents:

Enforcement of breaches is a nightmare for all concerned when it comes to notifications. All people whose records are suspected to have been breached must be notified by HHS after the breach has been reported, and one breach must be assumed to involve all records compromised. So the problem is multiplied enormously, along with the requisite expense of notifications. The enforcement burden on HHS and/or Justice obviously strains the system and probably has not been accounted for in the cost of health care.

Even unintentional breaches can be triggered by an innocent clerk entering data into the incorrect field on a mailing list.

HIPAA has been modified to include a “threshold factor”: organizations are not required to issue notifications under HIPAA if no harm has been done. That proposition involves proving a negative, a conundrum and a Catch-22 if there ever was one.

One CEO expert offered that putting the key on the gateway should also include “shredding” of the records through simple, effective encryption techniques. That would seem obvious to anyone.

According to FierceHealth, the CIOs of every health organization, from hospitals to nursing homes, are on alert! There are dangers here when a politically motivated attorney general may decide to go after a hospital to enhance his reputation.

Disclaimer

The opinions in this blog or other forms of social media are solely those of Gary M. Levin, M.D. Dr. Levin has no financial interest in any medical devices which are discussed or which appear in the blog. Commentary taken from other sources is either quoted or referenced with attribution. Dr. Levin does not endorse, nor give financial support to, any political organizations.